Malware Analysis Report

2025-01-18 21:28

Sample ID 240321-vz8jladb97
Target dc3372438fc7fc937515502a43c267f8
SHA256 d0fa2f18181e55b5f55e02e7b65759ceea3710db0a003a336968e205d808c2f5
Tags: adware stealer

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview


Threat Level: Shows suspicious behavior

The file dc3372438fc7fc937515502a43c267f8 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer

Deletes itself

Checks computer location settings

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 17:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 17:26

Reported

2024-03-21 17:29

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\ = "Google Accelerator!" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FBEB472F-5293-428D-9ADF-BD6C17131EB7} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\googlece.dll C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
File opened for modification C:\Windows\SysWOW64\googlece.dll C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
File created C:\Windows\SysWOW64\sys.dat C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\@#$E$@#n%^a&^%b#$%l^%$e^& %^&B#$%r&^%o$%w@#$s^%$e&*r(*& &*E*^&x$^%t%$#e@#$n&^%s#%i*^o$%^n(&*s%^& = "yes" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\ = "Google Accelerator!" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32\ = "%SystemRoot%\\SysWow64\\googlece.dll" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEB472F-5293-428D-9ADF-BD6C17131EB7}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe

"C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C sys.bat

Network

N/A

Files

memory/2476-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2476-6-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sys.bat

MD5 2c395208e1b09d968e92510f1e9e0b4d
SHA1 78854688ebd2b36b92a74911e586ac5dc259c829
SHA256 49b705215361a2309143ac44d14149f9b3eb73efe444c44e7a30a393f5c74109
SHA512 3e0614a145eaba1fa458a57ed7d03cbd56643f68469a6c4fb52d4a9e812b4dc4f6c220104af40b0237aaaa852b4e285d6c3d013253377e2f1981b53d554d87e2

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 17:26

Reported

2024-03-21 17:29

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F05A0613-E859-45C1-9F62-5442D8CE0F9D} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\ = "Google Accelerator!" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sys.dat C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
File created C:\Windows\SysWOW64\googlece.dll C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
File opened for modification C:\Windows\SysWOW64\googlece.dll C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\@#$E$@#n%^a&^%b#$%l^%$e^& %^&B#$%r&^%o$%w@#$s^%$e&*r(*& &*E*^&x$^%t%$#e@#$n&^%s#%i*^o$%^n(&*s%^& = "yes" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\ = "Google Accelerator!" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32\ = "%SystemRoot%\\SysWow64\\googlece.dll" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F05A0613-E859-45C1-9F62-5442D8CE0F9D} C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe

"C:\Users\Admin\AppData\Local\Temp\dc3372438fc7fc937515502a43c267f8.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C sys.bat

Network


Files

memory/3228-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3228-6-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sys.bat

MD5 2c395208e1b09d968e92510f1e9e0b4d
SHA1 78854688ebd2b36b92a74911e586ac5dc259c829
SHA256 49b705215361a2309143ac44d14149f9b3eb73efe444c44e7a30a393f5c74109
SHA512 3e0614a145eaba1fa458a57ed7d03cbd56643f68469a6c4fb52d4a9e812b4dc4f6c220104af40b0237aaaa852b4e285d6c3d013253377e2f1981b53d554d87e2